Re: [exim-dev] Security issues in exim4 local delivery

Author: Dan Rosenberg
Date:  
To: Nigel Metheringham
CC: pdp, exim-dev
Subject: Re: [exim-dev] Security issues in exim4 local delivery
In that case, perhaps it's unnecessary to even package a new release -
I was unaware of the status of Exim as a project. Since both issues
can be easily mitigated with configuration changes, I wouldn't want to
create extra work for you if it's not going to make much of a
difference to users in the long run. Just let me know what you want
to do, and I'll either postpone until you've got time to package a
release or put out an advisory today so everyone can move on with
their lives.

-Dan

On Wed, May 26, 2010 at 3:36 PM, Nigel Metheringham
<nigel.metheringham@???> wrote:
> [Resent from a list friendly address]
>
> On 26 May 2010, at 19:01, Dan Rosenberg wrote:
>
>> I just noticed the Bugzilla entries for these issues. I wanted to
>> point out that the impact of the second bug is more than just
>> creating empty files - because of the chmod() call, permissions on
>> the victim's files may be changed.
>
> Noted.
>
>> That being said, I have yet to come across a system that uses MBX
>> locking, with a dependency on /tmp, AND allows symlink following on
>> /tmp. So I think it would be perfectly appropriate not to address
>> the race condition in the code in favor of making it explicitly
>> clear in the documentation that this particular combination of
>> configurations is potentially unsafe.
>
>> I'd like to publish an advisory for these issues, just in case any
>> users are affected and don't follow Exim upstream carefully. I'll
>> be sure to emphasize the somewhat low impact, which configurations
>> are vulnerable, and mitigation strategies.
>
>> Is there an idea of when 4.72 will be ready? Are there plans on
>> addressing the MBX issue further?
>
> I can't give a good answer to that.
>
> Exim development is currently effectively dead. We are averaging
> maybe one CVS commit a month (and worse, we are still on CVS).
>
> We currently have no one to manage a release (well one possible),
> and no one volunteering to take on this work.
>
> If there is no one else taking this on then I will build a release,
> however I will also document it as being the last exim release as
> the development community is unable to sustain further work, so the
> only reasonable recommendation is for people to transition to a
> mailer that has long term support.
>
>        Nigel.
>
> --
> [ Nigel Metheringham             Nigel.Metheringham@??? ]
> [ - Comments in this message are my own and not ITO opinion/policy - ]
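The mechanism Dan describes in the quoted message, a chmod() on a /tmp path that may by then be a symlink to another user's file, is the classic case for creating the file without following links and changing its mode through the descriptor rather than the name. The following is an added example, not Exim's code and not part of this thread; the function names, the scratch directory and the victim/lock file names are assumptions made for the self-check.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a lock file in a shared directory without following symlinks and
 * set its mode through the descriptor: fchmod() can only touch the file we
 * just created, never whatever a planted link points at. Returns the fd, or
 * -1 when something (a file or a symlink) already sits at that name. */
int create_lockfile_nofollow(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                     /* EEXIST: refuse to touch it */
    if (fchmod(fd, mode) < 0) {        /* by fd, not by name */
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check in a scratch directory: a constructed victim file (mode 0600)
 * and a symlink at the lock path pointing at it, the situation the thread
 * describes. The creator must refuse the link, leave the victim's mode
 * alone, and still create a clean name with the requested mode. Returns 0
 * when every check passes. */
int run_symlink_race_check(void)
{
    char dir[] = "/tmp/mbxlock-demo-XXXXXX";   /* assumed scratch location */
    char victim[64], lock[64], fresh[64];
    struct stat st;
    int fd, rc = 1;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/lock", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh", dir);
    if ((fd = open(victim, O_WRONLY | O_CREAT, 0600)) < 0) goto out;
    close(fd);
    if (symlink(victim, lock) < 0) goto out;
    if (create_lockfile_nofollow(lock, 0666) != -1) goto out;  /* refused */
    if (stat(victim, &st) < 0 || (st.st_mode & 0777) != 0600) goto out;
    if ((fd = create_lockfile_nofollow(fresh, 0644)) < 0) goto out;
    close(fd);
    if (stat(fresh, &st) < 0 || (st.st_mode & 0777) != 0644) goto out;
    rc = 0;
out:
    unlink(fresh); unlink(lock); unlink(victim); rmdir(dir);
    return rc;
}
```

The O_EXCL flag makes open() fail on a pre-existing symlink regardless of O_NOFOLLOW, so the check also holds on kernels without symlink-following restrictions in sticky directories.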